August 3, 2020

Volume X, Number 216

July 31, 2020

Subscribe to Latest Legal News and Analysis

OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic.

OCR’s guidance addresses when HIPAA allows disclosures without patient authorization of identifying health information to first responders – such as law enforcement and emergency medical services personnel – and public health authorities related to individuals infected with or exposed to COVID-19. OCR confirms such disclosures are permissible under HIPAA in certain circumstances, including:

  • If necessary to provide treatment, such as where a hospital coordinates with emergency medical services personnel regarding the transportation of a potential COVID-19 patient;

  • If required by law, such as where confirmed diagnoses of communicable diseases such as COVID-19 must be reported to state public health authorities;

  • If necessary to notify public health authorities to prevent or control the spread of disease, such as disclosures to the Centers for Disease Control and Prevention or to state departments of public health or local health boards authorized by law to receive or collect the information;

  • If first responders are at risk for infection, where authorized by state law (such as M.G.L. c. 111 § 111C in Massachusetts);

  • If disclosure is necessary to prevent or lessen a serious and imminent threat, and is made to someone who can lessen or prevent the threat; or

  • In response to requests from a correctional institution or law enforcement official with custody over the individual who is the subject of the disclosure, as long as the disclosure is necessary for providing health care to the individual, for the health and safety of those around the individual (including law enforcement and corrections officers), or is necessary for the administration of the correctional institution.

OCR further advises that such disclosures generally should adhere to HIPAA’s “minimum necessary” standard for uses and disclosures.  OCR concludes the guidance by providing a few examples of scenarios involving the use or disclosure of PHI to or from first responders and others on the front lines of the COVID-19 response.

OCR’s guidance is well-timed as hospitals and first responders increase coordination to address the COVID-19 pandemic.  Hospitals and other providers would be well-advised to continue monitoring guidance from OCR in support of public health efforts.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume X, Number 87


About this Author

Conor Duffy Cybersecurity Attorney

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.


Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...